Windows Mobile 5 part 2

Back in November, I wrote about the Microsoft PR push for Windows Mobile 5 as a BlackBerry killer. It's something we've been looking at more closely with the RIM/NTP judgment hanging over everyone's head. I've learned a couple of interesting things since then.
Jason Langridge (MSDN)

1. Direct push is really HTTP GET heartbeats from the device to the server.
2. It requires opening port 80 or 443 on the firewall to the Exchange front end. Microsoft feels that most companies will be fine with this because they already accepted the same exposure for RPC over HTTPS.

You had me at EHLO

“By eliminating the NOC, isn’t this solution less secure? This is among my favorite questions, and it’s usually followed up with some hand-waving about the connection to the enterprise “somehow” getting “hijacked.” The answer is, it is exactly as secure as the last online purchase you made with your credit card, exactly as secure as the last time you checked your email with OWA, and exactly as secure as the last time you used Outlook with RPC-over-HTTP. That is, we use SSL (which itself negotiates over-the-wire encryption using RC4 or 3DES) to communicate between the device and the server. I suppose that you could run this with SSL disabled, but you also risk a concussion if you run top-speed into a brick wall. Just a little FYI.”

First – the credit card purchase is a bad analogy. If someone plays man-in-the-middle and gets my credit card information, I'm not liable for the fraudulent charges. Is Microsoft indemnifying me against attackers who get in through this new entrance into our network?
Second – "exactly as secure as OWA." External access to OWA is protected by SecurID login on the ISA 2000 server. This solution doesn't offer that protection, and requiring SecurID would ruin the ability to give the appearance of push email.
Third – "as secure as RPC over HTTPS." Sadly, that is true. We have not been able to use RPC over HTTPS because Microsoft has not provided support for SecurID authentication.
The question I would have is: can the clients (phones) be given client certificates so that the SSL authentication is mutual?
Sometimes you have to open ports into the company to enable business functionality; email and VPN are the primary examples. Each new entrance to the enterprise makes the network more difficult to defend. Given the difficulty we had getting ISA in place, I don't see this happening here. Competing solutions may cost more, but they don't require us to open ports into our enterprise.